Building a Self-Defending Border. Shane Baldacchino, Solutions Architect, AWS; Marcus Santos, Solutions Architect, AWS. www.cloudsec.com #cloudsec
Building Self-Defending Borders: Protect Your Web-facing Workloads With AWS Security Services. Shane Baldacchino and Marcus Santos, 2018.
Modern Business Challenges: Increased Frequency; Low Capital Investment; Rules and Regulations; Disparate, Disconnected Systems
Threats facing online assets? There Are Many
OWASP Style Attacks: Critical Web Application Security Risks
OWASP - Injection (legitimate request): User Input -> Website -> Database. User = "Shane", Pass = "XXXX". SELECT Statement: SELECT * FROM Users WHERE Name = "Shane" AND Pass = "XXXX"
OWASP - Injection (malicious request): Malicious Actor -> Website -> Database. User = " or ""=", Pass = " or ""=". SELECT Statement: SELECT * FROM Users WHERE Name = "" or ""="" AND Pass = "" or ""=""
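The two injection slides above show the same login query first with ordinary input and then with the `" or ""="` payload spliced in. The following is an added example (not the talk's demo code) that runs both forms against a constructed SQLite table: `build_query_vulnerable` reproduces the string-splicing pattern from the slide (using single quotes, SQLite's string delimiter, in place of the slide's double quotes), and `login_parameterized` is the hardened form that binds the values so the same payload matches nothing. The table, user and password are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the demo site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Pass TEXT)")
    conn.execute("INSERT INTO Users VALUES ('Shane', 'XXXX')")
    return conn


def build_query_vulnerable(user, password):
    """The slide's pattern: user input spliced into the SQL text, so quote
    characters in the input become part of the query's syntax."""
    return f"SELECT * FROM Users WHERE Name = '{user}' AND Pass = '{password}'"


def login_vulnerable(conn, user, password):
    """Returns True when the spliced query matches any row (the injected
    "or ''=''" clause makes the WHERE condition true for every row)."""
    return conn.execute(build_query_vulnerable(user, password)).fetchone() is not None


def login_parameterized(conn, user, password):
    """Hardened form: the query shape is fixed and the driver binds the values,
    so the payload is compared as a literal string and matches no user."""
    sql = "SELECT * FROM Users WHERE Name = ? AND Pass = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "' or ''='"   # the slide's payload, in single-quote form
    print(build_query_vulnerable(payload, payload))
    print("vulnerable login with payload:   ", login_vulnerable(conn, payload, payload))
    print("parameterized login with payload:", login_parameterized(conn, payload, payload))
```

The printed query is the exact shape the slide shows, and the two booleans are the whole lesson: the spliced version authenticates the attacker as the first user in the table, the parameterized version does not. The WAF rules discussed later in the talk sit in front of this code; parameterization is the fix inside it.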
OWASP Style Attacks: Critical Web Application Security Risks. External Threats: Hacktivists & Crime Syndicates
Botnets And DDoS: Malicious Actor -> Control Server -> Bots -> Victim Website
How are we fighting these threats today? We Use Controls
Today's controls: Expensive; Lack Automation; False Positives; CapEx Heavy; Over Provisioning; License Locked; Integration Challenges With DevSecOps Models; Content Changes Often Require New Rules
Let's make this real.
The Snowy Unicorn Elevator Company: N-Tier Architecture; ERP and CRM Integration; Quickly Growing; Limited IT resources
Online Architecture: Amazon Route 53; Application Load Balancer (x2); EC2 instances in an Auto Scaling Group; MySQL DB; Bastion Host; spread across Availability Zone A and Availability Zone B
Kali Linux: Designed For Penetration Testing and Security Auditing; Contains Several Hundred Tools; Available in AWS Marketplace
Architecture Of Attacks - Discovery
Architecture Of Attacks - Crawl
Architecture Of Attacks - OWASP
Architecture Of Attacks - DOS
Architecture Of Attacks - Brute Force
Demo: The Snowy Unicorn Elevator Company. 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
What's Wrong With Our Architecture? L7 Attacks: traditional security controls were ineffective. Scale, Cost & Reputation: ASG Elasticity, Network Bandwidth. Visibility: flew under the radar.
We Need A Smarter Approach And New Tools
AWS Shield. Standard Protection: available to ALL AWS customers at no additional cost. Advanced Protection: paid service that provides additional, comprehensive protections from large and sophisticated attacks.
Botnets And DDoS: Malicious Actor -> Control Server -> Bots -> Victim Website
AWS WAF: Comprehensive API Integration; Leverage IP Reputation Lists; Mitigate OWASP Vulnerabilities
OWASP - Injection (malicious request): Malicious Actor -> Website -> Database. User = " or ""=", Pass = " or ""=". SELECT Statement: SELECT * FROM Users WHERE Name = "" or ""="" AND Pass = "" or ""=""
Self-Defending Borders: Putting the Dev in Security (DevSecOps)
Application Requests (Static + Dynamic); AWS Shield; Amazon CloudFront; AWS WAF (OWASP Top 10 Protection, HTTP Flood Protection, IP Whitelist / Blacklist); Application Load Balancer
Application Requests (Static + Dynamic); AWS Shield; Amazon CloudFront; AWS WAF (OWASP Top 10 Protection, HTTP Flood Protection, IP Whitelist / Blacklist); Application Load Balancer; Access Logs -> Amazon S3 Bucket
Application Requests (Static + Dynamic); AWS Shield; Amazon CloudFront; AWS WAF (OWASP Top 10 Protection, HTTP Flood Protection, IP Whitelist / Blacklist); Application Load Balancer; Access Logs -> Amazon S3 Bucket; Honey Pot Endpoint -> Amazon API Gateway
Tight-knit API Driven Platform: Amazon SQS (fully managed message queue); Amazon CloudWatch (monitoring for cloud resources); AWS Step Functions (build distributed applications); Amazon SNS (highly scalable push messaging); Amazon DynamoDB (NoSQL data store); Amazon API Gateway (create APIs at scale); Amazon S3 (simple, durable object store); AWS Lambda (run code without servers)
Application Requests (Static + Dynamic); AWS Shield; Amazon CloudFront; AWS WAF (OWASP Top 10 Protection, HTTP Flood Protection, Bad Bot & Scraper Protection, IP Whitelist / Blacklist); Application Load Balancer; Access Logs -> Amazon S3 Bucket; Honey Pot Endpoint -> Amazon API Gateway -> AWS Lambda Access Handler -> AWS Step Functions
AWS Lambda: Build and run applications without thinking about servers; Availability and scalability are managed by AWS; Not paying for idle time
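The architecture above feeds access logs to an S3 bucket and routes honeypot hits through API Gateway to a Lambda access handler, which is where the "HTTP Flood Protection" and "Bad Bot & Scraper Protection" decisions are made. The following is an added example (not the talk's demo code) of the detection logic that handler would run: it parses a batch of constructed, simplified access-log lines (a made-up format, not the real ALB log format), keeps a per-client sliding window to spot request floods, flags any client that touches the honeypot path, and shapes the result as the /32 entries an AWS WAF IP set takes. The honeypot path, the threshold and the window length are assumed values; for simplicity the honeypot check is folded into the same log pass.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed values for the example: the talk names a honeypot endpoint but not its path,
# and the flood threshold / window are policy choices, not figures from the slides.
HONEYPOT_PATH = "/marketing/reports/export"   # hypothetical path, never linked from the site
FLOOD_THRESHOLD = 5                            # more than this many requests per window -> flood
WINDOW_SECONDS = 10

# Constructed, simplified log format: "<iso-timestamp> <client-ip>:<port> "<method> <path> <proto>" <status>"
LOG_RE = re.compile(r'^(\S+) (\S+):\d+ "(\S+) (\S+) \S+" (\d{3})$')

# Constructed sample: a normal visitor, a client that trips the honeypot, a client hammering
# /login, and one malformed line to show the parser skipping garbage.
SAMPLE_LOG = """\
2018-06-01T10:00:00Z 203.0.113.7:51000 "GET /index.html HTTP/1.1" 200
2018-06-01T10:00:01Z 192.0.2.50:3000 "GET /login HTTP/1.1" 200
2018-06-01T10:00:01Z 192.0.2.50:3001 "POST /login HTTP/1.1" 401
2018-06-01T10:00:02Z 192.0.2.50:3002 "POST /login HTTP/1.1" 401
2018-06-01T10:00:02Z 198.51.100.9:40000 "GET /index.html HTTP/1.1" 200
2018-06-01T10:00:02Z 192.0.2.50:3003 "POST /login HTTP/1.1" 401
2018-06-01T10:00:03Z 198.51.100.9:40001 "GET /marketing/reports/export HTTP/1.1" 403
2018-06-01T10:00:03Z 192.0.2.50:3004 "POST /login HTTP/1.1" 401
2018-06-01T10:00:04Z 203.0.113.7:51001 "GET /products HTTP/1.1" 200
2018-06-01T10:00:04Z 192.0.2.50:3005 "POST /login HTTP/1.1" 401
2018-06-01T10:01:30Z 203.0.113.7:51002 "GET /contact HTTP/1.1" 200
this line is malformed and is skipped by the parser
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None so callers can skip it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {
        "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
    }


def analyze(lines, threshold=FLOOD_THRESHOLD, window=WINDOW_SECONDS):
    """Return {client_ip: {reasons}} for clients that hit the honeypot or sent more than
    `threshold` requests inside any `window`-second span. Lines must be in time order."""
    flagged = defaultdict(set)
    recent = defaultdict(deque)          # per-IP timestamps inside the current window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t = rec["ip"], rec["time"]
        if rec["path"] == HONEYPOT_PATH:
            flagged[ip].add("honeypot")  # nothing legitimate ever requests this path
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window:
            q.popleft()                  # drop requests that fell out of the window
        if len(q) > threshold:
            flagged[ip].add("http_flood")
    return dict(flagged)


def to_ipset_entries(flagged):
    """Single addresses go into an AWS WAF IP set as /32 CIDRs."""
    return sorted(f"{ip}/32" for ip in flagged)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ip, reasons in sorted(result.items()):
        print(ip, sorted(reasons))
    print("IP set entries:", to_ipset_entries(result))
```

The two signals are deliberately kept separate in the output: a honeypot hit is a near-certain bad-bot indicator on its own, while a flood verdict depends on the threshold, so the handler can route them to different WAF rules (the BadBot ACL versus the flood rule) rather than treating every flagged client the same way.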
AWS Step Functions: Start -> FirstState -> ChoiceState -> (FirstMatchState | SecondMatchState | DefaultState) -> NextState -> End
Security State Machine: Start -> Detected Attack -> New Attack Type? New: Manual Approval. Known Attack: Blacklist Router -> Update WAF BadBot ACL | Update EC2 Guest Firewall | Update WAF Scraper ACL -> End
Security State Machine (build): the three remediation steps behind the Blacklist Router (Update WAF BadBot ACL, Update EC2 Guest Firewall, Update WAF Scraper ACL) are each a λ function (AWS Lambda)
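The Security State Machine slides describe a Step Functions flow: a detected attack is classified, an unknown attack type goes to manual approval, and a known one goes through the Blacklist Router to one of three Lambda-backed update steps. The following is an added example (not the talk's demo code) that writes that flow as an Amazon States Language definition and walks it with a small local interpreter, so the routing can be exercised without deploying anything. The Task `Resource` values are names of local Python handlers standing in for the Lambda functions, `KNOWN_ATTACKS` stands in for the DynamoDB lookup used in the demo, and the mapping of attack type to update step is an assumption made for the example.

```python
import json

# Constructed "known attack" table: stands in for the DynamoDB lookup in the talk's demo.
# Which attack type maps to which update step is an assumption for this example.
KNOWN_ATTACKS = {
    "bad_bot": ["UpdateWafBadBotAcl"],
    "scraper": ["UpdateWafScraperAcl"],
    "brute_force": ["UpdateEc2GuestFirewall"],
}

# Amazon States Language definition of the slide's flow. Task Resources are the names of
# the local handlers below rather than Lambda ARNs, so the machine can be walked offline.
SECURITY_STATE_MACHINE = {
    "StartAt": "DetectedAttack",
    "States": {
        "DetectedAttack": {"Type": "Task", "Resource": "classify", "Next": "NewAttackType"},
        "NewAttackType": {
            "Type": "Choice",
            "Choices": [{"Variable": "$.known", "BooleanEquals": True, "Next": "BlacklistRouter"}],
            "Default": "ManualApproval",
        },
        "ManualApproval": {"Type": "Task", "Resource": "request_approval", "End": True},
        "BlacklistRouter": {"Type": "Task", "Resource": "route", "Next": "ApplyBlocks"},
        "ApplyBlocks": {"Type": "Task", "Resource": "apply_blocks", "End": True},
    },
}


def classify(data):
    """DetectedAttack: is this an attack type the platform already knows how to block?"""
    data["known"] = data["attack_type"] in KNOWN_ATTACKS
    return data


def request_approval(data):
    """ManualApproval: park the event for a human (SNS or a ticket in the real deployment)."""
    data["status"] = "awaiting_manual_approval"
    return data


def route(data):
    """BlacklistRouter: choose which of the three update functions to run."""
    data["actions"] = KNOWN_ATTACKS[data["attack_type"]]
    return data


def apply_blocks(data):
    """Stand-in for the Update WAF / Update EC2 firewall functions: records the /32
    entries that would be pushed instead of calling AWS APIs."""
    data["applied"] = [f"{action}:{data['source_ip']}/32" for action in data["actions"]]
    data["status"] = "blocked"
    return data


HANDLERS = {"classify": classify, "request_approval": request_approval,
            "route": route, "apply_blocks": apply_blocks}


def evaluate_choice(state, data):
    """Minimal Choice-state evaluator: BooleanEquals / StringEquals on a top-level key."""
    for rule in state["Choices"]:
        key = rule["Variable"][2:]            # "$.known" -> "known"
        for op in ("BooleanEquals", "StringEquals"):
            if op in rule and data.get(key) == rule[op]:
                return rule["Next"]
    return state["Default"]


def run(definition, event, max_steps=20):
    """Walk the definition the way Step Functions would; returns (visited states, final data)."""
    data, name, trace = dict(event), definition["StartAt"], []
    for _ in range(max_steps):
        state = definition["States"][name]
        trace.append(name)
        if state["Type"] == "Task":
            data = HANDLERS[state["Resource"]](data)
            if state.get("End"):
                return trace, data
            name = state["Next"]
        elif state["Type"] == "Choice":
            name = evaluate_choice(state, data)
        else:
            raise ValueError(f"unsupported state type {state['Type']}")
    raise RuntimeError("state machine did not reach an End state")


if __name__ == "__main__":
    for event in ({"source_ip": "192.0.2.50", "attack_type": "bad_bot"},
                  {"source_ip": "198.51.100.9", "attack_type": "unknown_probe"}):
        trace, result = run(SECURITY_STATE_MACHINE, event)
        print(" -> ".join(trace))
        print(json.dumps(result, indent=2))
```

The point of keeping the Choice state in the definition rather than in handler code is the one the slides make: the "new attack type, ask a human" branch is a property of the workflow, visible and auditable in the state machine, and the Lambda functions only do one narrow job each.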
Demo: The Snowy Unicorn Elevator Company (AWS WAF, AWS Lambda, Amazon API Gateway, AWS Step Functions, Amazon DynamoDB)
Application Requests (Static + Dynamic); AWS Shield; Amazon CloudFront; AWS WAF (OWASP Top 10 Protection, HTTP Flood Protection, Bad Bot & Scraper Protection, Known Attacker Protection, IP Whitelist / Blacklist); Application Load Balancer; Access Logs -> Amazon S3 Bucket; Honey Pot Endpoint -> Amazon API Gateway -> AWS Lambda Access Handler -> AWS Step Functions; Amazon GuardDuty -> Amazon CloudWatch -> AWS Lambda (GuardDuty and 3rd Party IP Lists)
Amazon GuardDuty generates findings from: the VPC Flow Log stream; DNS queries to questionable domains; the AWS CloudTrail history of AWS API calls and user activity
Automating Remediation. Detection: Amazon GuardDuty, Amazon CloudWatch, AWS Platform. Report: CloudWatch Event, Amazon SNS, Amazon SQS. Act: AWS Step Functions, AWS Lambda
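The Detection -> Report -> Act chain above ends in a Lambda function that receives a GuardDuty finding as a CloudWatch Event and decides what to do. The following is an added example (not the talk's demo code) of that decision step: it extracts the remote addresses from a finding, and applies an assumed policy of blocking on High severity, notifying on Medium, only logging on Low, and isolating the instance rather than blocking the remote host when the instance itself initiated the connection. The events are constructed with `make_event`; their field paths follow the GuardDuty finding JSON, but the severities, addresses and the instance id are made up for the example, and the thresholds are policy assumptions.

```python
import json

# Assumed policy thresholds: GuardDuty reports High findings as severity >= 7.0 and
# Medium as >= 4.0; whether to auto-block at High is the operator's choice, not the talk's.
HIGH_SEVERITY = 7.0
MEDIUM_SEVERITY = 4.0


def make_event(finding_type, severity, remote_ip, direction="INBOUND", probe=False,
               instance_id="i-0123456789abcdef0"):
    """Constructed CloudWatch Event wrapping a GuardDuty finding. Field paths follow the
    finding JSON; the values (severity, addresses, instance id) are made up."""
    if probe:
        action = {"actionType": "PORT_PROBE",
                  "portProbeAction": {"portProbeDetails": [
                      {"remoteIpDetails": {"ipAddressV4": remote_ip}}]}}
    else:
        action = {"actionType": "NETWORK_CONNECTION",
                  "networkConnectionAction": {"connectionDirection": direction,
                                              "remoteIpDetails": {"ipAddressV4": remote_ip}}}
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type, "severity": severity,
                       "resource": {"instanceDetails": {"instanceId": instance_id}},
                       "service": {"action": action}}}


def remote_ips(finding):
    """Collect remote IPv4 addresses from the finding's service.action block. Network-
    connection findings carry one remoteIpDetails; port-probe findings carry a list."""
    action = finding.get("service", {}).get("action", {})
    ips = []
    net = action.get("networkConnectionAction")
    if net:
        ip = net.get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            ips.append(ip)
    probe = action.get("portProbeAction")
    if probe:
        for detail in probe.get("portProbeDetails", []):
            ip = detail.get("remoteIpDetails", {}).get("ipAddressV4")
            if ip:
                ips.append(ip)
    return sorted(set(ips))


def decide(event):
    """Map one CloudWatch Event to a remediation decision for the Act stage."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore"}     # the rule may be shared with other event sources
    finding = event["detail"]
    severity = float(finding.get("severity", 0))
    action = finding.get("service", {}).get("action", {})
    direction = action.get("networkConnectionAction", {}).get("connectionDirection")
    instance = finding.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    ips = remote_ips(finding)
    base = {"finding_type": finding.get("type"), "severity": severity,
            "instance_id": instance, "remote_ips": ips}
    if direction == "OUTBOUND":
        # The instance opened the connection: treat the instance as compromised.
        # Blocking the remote host in WAF would not help; quarantine the instance instead.
        return {**base, "action": "isolate_instance"}
    if severity >= HIGH_SEVERITY and ips:
        return {**base, "action": "block", "ip_set_entries": [f"{ip}/32" for ip in ips]}
    if severity >= MEDIUM_SEVERITY:
        return {**base, "action": "notify"}
    return {**base, "action": "log"}


def lambda_handler(event, context):
    """Lambda entry point: the Act stage would branch on the returned "action"."""
    decision = decide(event)
    print(json.dumps(decision))        # lands in CloudWatch Logs for audit
    return decision


if __name__ == "__main__":
    print(lambda_handler(make_event("UnauthorizedAccess:EC2/SSHBruteForce", 8.0, "198.51.100.23"), None))
    print(lambda_handler(make_event("Backdoor:EC2/C&CActivity.B", 9.0, "192.0.2.200", direction="OUTBOUND"), None))
```

The OUTBOUND branch is the caveat worth carrying into a real deployment: the same "remote IP" field means an attacker in an inbound finding and a command-and-control host in an outbound one, and only the first is something a WAF block list can act on.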
Demo: The Snowy Unicorn Elevator Company (AWS WAF, Amazon API Gateway, AWS Lambda, Amazon GuardDuty, AWS Step Functions, Amazon DynamoDB)
Session Recap: AWS WAF; Amazon API Gateway; AWS Lambda; Amazon GuardDuty; AWS Step Functions; Amazon DynamoDB
How To Get Started. AWS Lambda: Product Details - https://aws.amazon.com/lambda/; Tutorial - https://amzn.to/2ijn4bm. AWS Automation: WAF / Lambda Automation - http://amzn.to/2gblvoz; Step Functions Workflow - http://amzn.to/2hkpouf. AWS Step Functions: Product Details - https://aws.amazon.com/step-functions/; Tutorial - https://amzn.to/2reskif
Thank you! Shane Baldacchino, balshane@amazon.com, https://www.linkedin.com/in/shanebaldacchino/; Marcus Santos, sntosms@amazon.com, https://www.linkedin.com/in/marcus-santos/